How OpenPGP identity proofs work

Decentralized OpenPGP identity proofs

Decentralized OpenPGP identity proofs are the brainchild of Wiktor who wrote the original guide on his website (a suggested read to get first-hand information).

Unlike the proofs offered by, for example, Keybase, OpenPGP proofs are stored inside the PGP key itself rather than existing as mere signatures. Because writing them into the key requires the “certify” capability and not merely the “sign” capability, these OpenPGP proofs can be considered more secure.


What an OpenPGP proof looks like

Every OpenPGP identity proof is stored in the PGP key as a notation that looks like this:

This particular proof is for a Twitter account (read more in the Twitter guide). Let’s analyse the notation:

The proof should always link to a document that can be parsed as JSON to make the verification easy and feasible by the browser. Sometimes however, due to CORS restrictions or API requirements (as is the case for Twitter), no such link is provided by the platform. In these rare exceptional cases, the verification process is delegated to the Keyoxide server which will communicate directly with the platform’s servers to get the content of the post.
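The following is an added example (not Keyoxide’s own code, nor code from Wiktor’s guide) sketching the verification flow just described: take the `proof@metacode.biz` notations from a key (the notation name Wiktor’s guide uses), decide per URL whether a browser can fetch the document directly or the server must do it, parse the fetched body as JSON, and check whether it claims the key. The exact claim text (`openpgp4fpr:<fingerprint>`), the server-side host list, the fingerprint and the sample documents are assumptions constructed for this example.

```python
import json
import re
from dataclasses import dataclass
from typing import Any, Callable, Iterator, Optional
from urllib.parse import urlparse

# Notation name used for decentralized OpenPGP proofs (from Wiktor's guide).
PROOF_NOTATION = "proof@metacode.biz"

# Hosts whose proof documents a browser cannot fetch directly (CORS / API
# requirements), so verification is delegated to the server. Twitter is the
# case the page names; the list itself is an assumption of this example.
SERVER_SIDE_HOSTS = {"twitter.com"}

# Claim text looked for inside the document; assumed form for this example.
CLAIM_PATTERN = re.compile(r"openpgp4fpr:([0-9A-Fa-f]{40})")


@dataclass
class Proof:
    fingerprint: str  # 40 hex chars, uppercase, of the certifying key
    url: str          # location of the document that proves control


def parse_proof_notation(fingerprint: str, notation: str) -> Optional[Proof]:
    """Turn one 'name=value' notation into a Proof, or None if it is not a proof."""
    name, sep, value = notation.partition("=")
    if not sep or name.strip() != PROOF_NOTATION:
        return None
    parsed = urlparse(value.strip())
    if parsed.scheme != "https" or not parsed.hostname:
        return None  # only https proof documents are handled in this example
    return Proof(fingerprint=fingerprint.replace(" ", "").upper(), url=value.strip())


def needs_server_side_fetch(proof: Proof) -> bool:
    """True when the document must be fetched by the server, not the browser."""
    host = urlparse(proof.url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in SERVER_SIDE_HOSTS)


def _strings(node: Any) -> Iterator[str]:
    """Yield every string value anywhere inside a parsed JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)


def document_claims_key(document_text: str, fingerprint: str) -> bool:
    """True if the body parses as JSON and some string in it claims the fingerprint."""
    try:
        doc = json.loads(document_text)
    except ValueError:
        return False  # not JSON: nothing the verifier can reason about
    wanted = fingerprint.replace(" ", "").upper()
    for text in _strings(doc):
        for match in CLAIM_PATTERN.finditer(text):
            if match.group(1).upper() == wanted:
                return True
    return False


def verify_proof(proof: Proof, fetch: Callable[[str], str]) -> dict:
    """Verify one proof; `fetch(url)` returns the document body as text."""
    body = fetch(proof.url)
    return {
        "url": proof.url,
        "via": "server" if needs_server_side_fetch(proof) else "browser",
        "verified": document_claims_key(body, proof.fingerprint),
    }


def verify_all(fingerprint: str, notations: list, fetch: Callable[[str], str]) -> list:
    """Verify every proof notation on a key, skipping unrelated notations."""
    results = []
    for notation in notations:
        proof = parse_proof_notation(fingerprint, notation)
        if proof is not None:
            results.append(verify_proof(proof, fetch))
    return results


# Constructed sample data: a made-up fingerprint, key notations and documents.
FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
CLAIM = f"[Verifying my OpenPGP key: openpgp4fpr:{FINGERPRINT}]"
NOTATIONS = [
    f"{PROOF_NOTATION}=https://gist.example/alice/openpgp.json",
    f"{PROOF_NOTATION}=https://twitter.com/alice/status/1",
    "preferred-email-encoding@pgp.com=pgpmime",  # unrelated notation, ignored
]
SAMPLE_DOCUMENTS = {
    "https://gist.example/alice/openpgp.json": json.dumps(
        {"files": {"openpgp.md": {"content": CLAIM}}}),
    "https://twitter.com/alice/status/1": json.dumps(
        {"data": {"id": "1", "text": CLAIM}}),
}


def offline_fetch(url: str) -> str:
    """Stand-in for the browser/server fetch; unknown URLs return non-JSON HTML."""
    return SAMPLE_DOCUMENTS.get(url, "<html>not json</html>")


if __name__ == "__main__":
    for result in verify_all(FINGERPRINT, NOTATIONS, offline_fetch):
        print(result)
```

Swap `offline_fetch` for a real HTTP fetch to run this against live proof documents; the `via` field shows which path the page describes for each URL.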

Your turn

If you’d like to add decentralized OpenPGP identity proofs to your key, go to the guides and find the right one for your platform of choice. You may find the process to be remarkably easy.

If your platform is not in the list of guides, it’s not supported yet. See the contributing guide for more information on how to get that platform supported.